Monday, June 27, 2011

Ten Rules for Cyber Security

Should these Ten Rules be addressed in a comprehensive legal approach to cyber security?

Before the Estonian incident, organisations tended to treat their risks and arrangements in isolation. Cyber security was merely the sum of individual contingency plans having little to do with more systemic risks.

The spectrum of cyber conflict ranges from breaches of internal policy or regulations (not patching software, for example) to breaches of legal obligations (such as not reporting illegal activity) to crime to national-security threats to outright cyber warfare ("cyber armed attack").

Ten rules focused on issues and working solutions arising from discussions among experts or in the course of cyber-incident handling can be identified:

1. The Territoriality Rule
2. The Responsibility Rule
3. The Cooperation Rule
4. The Self-Defence Rule
5. The Data Protection Rule
6. The Duty of Care Rule
7. The Early Warning Rule
8. The Access to Information Rule
9. The Criminality Rule
10. The Mandate Rule

In this paper, the Author analyses these ten rules, which outline key concepts and areas that must be included or addressed in a comprehensive legal approach to cyber security. They are intended to raise awareness about existing legal complications involving cyber security and the ways to overcome them, to serve as a focus for debate and coordination within and across disciplines, and to inform well-grounded proposals for additional legislation at the international level.